Ben & Jerry's security glitch exposes personal details
Ice cream company Ben & Jerry's has apologised after an embarrassing security blunder exposed the names and addresses of more than 2,500 online customers.
The mistake was discovered by Web User reader Julee de Jong after a simple search for her name on search engine Google.
One of the top results for her name linked to a PDF containing an order she had placed in 2009 for tickets to the Ben & Jerry's Sundae Festival in London.
The PDF included her full name and postal address. From this PDF, she could gain access to a file containing order documents for over 2,500 Ben & Jerry's customers for items ranging from festival tickets to lip balms and ice cream vouchers. All orders included a full name and delivery address.
Julee told Web User: "While searching for something on Google, I was alarmed to discover an invoice for some tickets I purchased in 2009. The invoice showed my home address, which is extremely worrying. I'm sure other Ben & Jerry's online shop customers would also have been alarmed to discover their home addresses accessible via a simple Google search on their name."
Security experts say that although the PDF documents didn't contain any financial or credit card information, fraudsters could potentially use such data as a starting point.
Graham Cluley, senior technology consultant at Sophos, said: "It's worrying how many websites can leave personal information like this open for all to see. This information on its own is not enough for identity theft, but it is a stepping stone that could be used by a criminal."
Ben & Jerry's has admitted that this was an "unacceptable experience" for its customers and said it would be launching an investigation with Intashop, the company that powered its Sundae Festival tickets website.
A spokesman for Ben & Jerry's said: "We will be launching a full investigation with Intashop to find out exactly what happened and implement procedures to ensure this doesn't occur in any future Ben & Jerry's ticket sales. We have assurances from Intashop that all data has been removed and the source document destroyed."
Intashop's web manager added: "At Intashop we take great care with customer information. It is indeed alarming that this should have to be discovered by a customer. We have now rectified the situation which occurred when we switched to a new server on the weekend. The directory with order confirmations from a period in 2009 somehow lost its security in the process. We destroyed the directory and removed all trace of the documents from internet search engines."
Intashop said it wanted to assure customers that it has installed new checking procedures to make sure "security is maintained at 100 per cent for the future as it had hereto in the past".
Ben & Jerry's has offered Julee de Jong a year's supply of ice cream as an apology.


